All but Florida, South Dakota apply for federal cyber grants allocated by infrastructure bill
All but two U.S. states and territories have applied for federal funding set aside last year to help local communities address cybersecurity issues, with Florida and South Dakota the notable exceptions.
As part of the $1.2 trillion infrastructure spending deal signed into law last year, $1 billion was allocated to state and local governments to upgrade their cybersecurity defenses.
The program is being administered by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Emergency Management Agency (FEMA). States were urged to send in applications late last year for a portion of the first $185 million tranche.
During a cybersecurity event in January, CISA Deputy Assistant Director of Stakeholder Engagement Trent Frazier said 54 states and territories had applied by the November deadline, and awarded funding will be distributed once the plans for how the money will be spent have been reviewed.
“We would have loved to see all 56 states and territories apply for their allocation. Unfortunately two opted not to apply for that allocation in year one on principle,” he said. “We will certainly invite them to apply again in year two because we believe that across the country, there are needs that need to be addressed and this is a viable program to ensure that our local communities and our states have resources to address those needs.”
Frazier later confirmed that the two states that did not apply are Florida and South Dakota.
State officials in Florida and others from the office of Governor Ron DeSantis directed The Record to the state’s cybersecurity department – the Florida Digital Service – which attributed the move to concerns about the application process for funding.
A spokesperson said the program “maintains invasive and bureaucratic requirements that will do little to enhance Florida’s cybersecurity capabilities.”
The spokesperson also pointed to the millions of dollars the state already plans to spend on cybersecurity over the next fiscal year. They added that the state has created its own $30 million grant program for local governments to strengthen their cybersecurity abilities.
The state increased pay for state cybersecurity employees and allocated $50 million to improve cybersecurity resilience within state agencies, $30 million for state and local government employee cybersecurity training and $7 million for a cybersecurity risk assessment of the state's critical infrastructure.
They plan to formally launch the program in the coming weeks and said they would reroute all of the local communities who submitted applications for federal funding to the state program.
The spokesperson claimed the state program has the capacity to cover the costs associated with the requested projects without the need for communities to match funding, allowing “local applicants to retain their funds.”
Dan Hoblick, a spokesperson for South Dakota Governor Kristi Noem, similarly defended the state’s decision to decline the federal cybersecurity funding.
Hoblick said Noem had allocated “substantial” funds into state cybersecurity during the latest legislative session – including $30 million for a cybersecurity applied research lab at Dakota State University – and criticized CISA for the “substantial administrative burdens” and “lack of clarity” around what was needed to apply for the grants.
Hoblick also took issue with the year-to-year application structure of the federal grant program – an issue CISA’s Frazier admitted other states expressed concerns about as well.
“South Dakota will continue to evaluate the program as more information is made available. The current structure, as presented by CISA within the Infrastructure Investment and Jobs Act grant opportunity, only gives temporary funding,” Hoblick said.
“However, any projects would require substantial long-term investments by both state and local governments, specifically in funding and administrative oversight.”
Both states have been in the news in recent weeks over cybersecurity failings. On Friday, one of the biggest hospitals in Tallahassee was forced to turn away patients and cancel non-emergency surgeries after a cyberattack.
Two weeks ago, Noem admitted that her personal cell phone number was hacked and used to place hundreds of scam phone calls.
Both Noem and DeSantis are weighing 2024 runs for the White House against President Joe Biden, who signed the infrastructure spending deal into law. Officials in Florida and South Dakota did not explain specifically what kind of administrative hurdles they faced during the application process.
CISA declined to comment on the criticisms, directing The Record to their initial announcement about the program.
“We encourage all eligible entities to apply for grant funds to protect our critical infrastructure and communities from malicious cyber activity and to grow their partnership with CISA,” CISA director Jen Easterly said at the time.
A multi-year effort
During the panel on the funding process, CISA’s Frazier addressed some of the concerns applicants had expressed about the process, noting that CISA tried to tailor the yearly grant process to allow for multi-year projects to fit within the applications. While the funding will be disbursed year-to-year, the program lasts for four years and applications can include two-year projects.
After the $185 million disbursed in the first year, $400 million will be doled out in year two, followed by $300 million in year three and $100 million in year four, according to Frazier.
Frazier said part of CISA’s goal with the funding application process was to get states to coordinate among themselves and think about their cybersecurity needs and the potential gaps in funding they may face when addressing a range of issues, including cybersecurity staffing, security product purchases, awareness drives, and more.
"The intent and the design of the program as it is structured today is to allow states the opportunity to assess where they have critical vulnerabilities and begin to build mitigations or capabilities to address those vulnerabilities over time," he explained.
He went on to say that they want states to think of the funding as part of a multi-year effort and urged states to submit plans that included potential needs in year two, three and four of the program.
What the funds will be used for
During the panel, state-level cybersecurity officials noted that some counties, towns and municipalities had issues finding people qualified enough to fill out applications for funding. To address this, CISA created avenues within the funding program that allow state officials to apply for funding on behalf of local communities. States can either apply for funding and allocate it themselves or take the funding and provide the services to local communities.
“Where possible, make the state do the hard work,” Frazier said. “We need to be making investments that prepare us and position us for tomorrow. Over the next three to four years, we very much want to continue to move this program forward in a way that fundamentally allows states to make those investments and to assess how resilience has continued to grow over time.”
Marisol Cruz Cain, director of the U.S. Government Accountability Office’s information and cybersecurity team and a panelist at the forum, said many states will spend their portion of the funds on ransomware protections, data backups, basic cybersecurity protections, risk management frameworks as well as training and awareness.
Some said they also plan to use the funding to shore up cyber staffing shortages and maintain the limited staff that they already had. Other states wanted to centralize their infrastructure to fortify protections.
Rita Reynolds, chief information officer for the National Association of Counties, said she had spoken to dozens of counties across the country that wanted to use the funding for data protection.
She noted that counties handle troves of sensitive data – from information on children's services to data covering criminal justice, mental health, elderly services, taxes, permits, housing and elections – that need the protection of sophisticated cybersecurity tools.
Reynolds added that other counties wanted funding for annual cybersecurity awareness trainings, IT staffing, higher salaries, multi-factor authentication, anti-virus protections for state-level staff members and quarterly phishing tests. Some also wanted better protections for .gov websites and county websites that are often under attack.
The legislation signed into law requires states and territories to distribute at least 80% of the funds to local governments with a minimum of one quarter of the allocated funds distributed to rural areas.
“That distribution can be in the form of funds awarded to sub-recipients or as value-in-kind services within/across their jurisdictions,” CISA official Bess Mitchell said.
As with all federal grants, progress reports are required alongside quarterly financial reports submitted to FEMA.
Roseville, California Chief Information Officer Hong Sae said he was coordinating with other municipalities across California to ask for funding for pentesting, disaster recovery tools and more.
He noted that the planning process in and of itself was a worthwhile effort because it leads cybersecurity stakeholders across the state to communicate with one another, share insights and coordinate on potential needs.
Texas Higher Education Coordinating Board’s Zhenzhen Sun said her organization would use the funding to implement zero-trust security architecture across their cloud systems. It would also go towards upskilling and reskilling staff members in an effort to redeploy valued employees in sorely-needed cybersecurity roles.
Frazier said it is CISA’s hope that there will be a dramatic change in the cyber posture of the country’s states and local municipalities.
“We see the pace of change in technology only continuing to accelerate, so that gap between capabilities will only continue to grow unless we make very thoughtful and critical investments now to improve the posture of our communities today in preparation for a posture tomorrow that far exceeds what each of us currently thinks about,” he said, later referencing how quantum computing will affect encryption.
"We need to be making investments to position us for tomorrow."
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.